SANS ISC InfoSec Forums

Update: Version 1.0.5 of the Google Chrome WebEx plugin, released this morning, fixes this issue.

The Google 0-Day project announced a critical remote code execution vulnerability in Cisco's WebEx plugin for Google Chrome. This vulnerability allows a remote attacker to execute arbitrary code on the victim's system by delivering it to the WebEx plugin via a special "secret" URL.

Google set up a test page and published a detailed report about how this vulnerability can be used to execute code [1].

Note that version 1.0.3 of the plugin, which was released on Sunday (Jan 22nd), still appears to be vulnerable. At this point, it is probably best to uninstall the plugin and use a different browser for WebEx (of course, this issue may affect plugins for other browsers as well).

An attack would be invisible to the user if executed "right". The user does not have to willingly join a WebEx meeting for this vulnerability to be exploited.

"issue 1100 is a bypass that still allows code execution on 1.0.5. I have reported it to Cisco PSIRT. The issue requires some details that may be considered new vulnerabilities, so the details are not available here until a patch is available."

Could someone please share info on how to disable this extension in a corporate environment? Must be open to re-enable once the new version is available. :)

EDIT: The information at https://www.chromium.org/administrators/policy-list-3#ExtensionInstallBlacklist can be used to achieve this.
But is there a nice write-up of "this is how we manage Chrome in our Corporate Environment" that you can point me to? :)
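One way to apply that ExtensionInstallBlacklist policy on Windows hosts, added here as an example (it is not code from the ISC diary or from any of the commenters): it writes the policy into the registry location Chrome reads for machine policy, and the helper to remove the entry again covers the "re-enable once the fixed version is out" requirement. The extension ID is a placeholder, since the page does not give it.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# The ID below is a PLACEHOLDER: replace it with the WebEx extension's 32-character
# ID as shown on chrome://extensions before deploying.
$ExtensionId = 'PLACEHOLDER-WEBEX-EXTENSION-ID'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist'

function Get-BlacklistedExtensions {
    # Chrome stores list policies as string values named 1, 2, 3, ... under the key
    if (-not (Test-Path $PolicyKey)) { return @() }
    $item = Get-Item $PolicyKey
    foreach ($name in $item.GetValueNames()) {
        if ($name -match '^\d+$') { $item.GetValue($name) }
    }
}

function Block-ChromeExtension([string]$Id) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    if (@(Get-BlacklistedExtensions) -contains $Id) {
        Write-Host "$Id is already blocked"; return
    }
    # Append at the next free numeric slot so existing entries are preserved
    $used = @((Get-Item $PolicyKey).GetValueNames() | Where-Object { $_ -match '^\d+$' } |
              ForEach-Object { [int]$_ })
    $next = if ($used.Count -gt 0) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $PolicyKey -Name $next -Value $Id -PropertyType String | Out-Null
    Write-Host "Blocked $Id (policy value $next)"
}

function Unblock-ChromeExtension([string]$Id) {
    # Drop the entry and renumber what remains so the list stays consecutive from 1
    if (-not (Test-Path $PolicyKey)) { return }
    $remaining = @(Get-BlacklistedExtensions | Where-Object { $_ -ne $Id })
    Remove-Item -Path $PolicyKey -Recurse -Force
    if ($remaining.Count -gt 0) {
        New-Item -Path $PolicyKey -Force | Out-Null
        $i = 1
        foreach ($e in $remaining) {
            New-ItemProperty -Path $PolicyKey -Name $i -Value $e -PropertyType String | Out-Null
            $i++
        }
    }
    Write-Host "Unblocked $Id"
}

Block-ChromeExtension $ExtensionId
# Once the fixed plugin version is available:  Unblock-ChromeExtension $ExtensionId
```

Chrome picks the change up on its next policy refresh, or immediately if a user opens chrome://policy and reloads policies; in a domain, the same values can be pushed via the Chrome ADMX templates instead of a script.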

Tavis said updating Chrome would trigger an update of the plugins but another poster on the Project Zero page says he did that and the old extensions remained. So forcing an update of Chrome isn't going to update the Webex plugin?